Cloud Management: SSL
Sensitive data transmitted to and from your Moovweb project should be secured with SSL. SSL (Secure Sockets Layer), also known as TLS (Transport Layer Security), is a cryptographic protocol for communicating securely over the Internet. SSL provides end-to-end data encryption and data integrity for all web requests.
When users visit secure domains on their devices that are set up on the Moovweb Cloud, an SSL certificate is needed. SSL certificates should be provisioned for all secure data that may pass through Moovweb.
The Moovweb Control Center allows system administrators to manage the SSL certificates used by projects that deliver endpoint experiences for domains served over HTTPS. System administrators can use the following features built for SSL management:
- Proactive SSL Certificate Management: The Moovweb Control Center displays the status of all the SSL certificates as well as the remaining days until expiration.
- Notifications: Notifications are automatically sent via email when specific actions to manage SSL certificates are needed.
- Self-Service Certificate Upload: Upload, renew or access SSL certificate information from a central location in the system.
- SAN Certificate Support: Subject Alternative Name certificates are often used by large organizations to secure multiple domains with a single certificate. Customers can use this type of certificate across multiple Moovweb projects.
Setting Up SSL Certificates
To begin, access the Control Center’s domain and SSL configuration page under the Project Settings. In the Domains section you can see all the domains that are transformed by Moovweb. You can configure SSL certificates for each or all domains associated with this project.
Go to the SSL certificate wizard by clicking the Configure button that appears next to the list of domains:
If the “Configure” button is not displayed, your project needs SSL to be enabled for production. Please submit a ticket using our help center.
Follow the steps outlined in the Control Center’s SSL summary page. There are three steps to finish the SSL setup flow. First, click Generate CSR.
In this step, select the domains that will be secured by the SSL certificate. If you are building projects that use separate domains, you can also select those domains as long as your account has access to the projects.
You will also need to enter your company information. Once you are finished, click the “Generate” button to generate a Certificate Signing Request (CSR).
If the CSR is generated successfully, you can proceed to the next step: Upload Certificate. The certificate is provided by a third party. You will need to obtain an SSL certificate for the CSR and upload it back into our system in order to complete the process. Once you have a certificate, you can securely upload it to Moovweb in the Control Center.
During any project development which requires testing on the Moovweb Cloud, organizations may elect to use self-signed certificates to run end-to-end testing. You may use a self-signed certificate for staging environments but be sure to install a valid production certificate before going live.
For production sites: You need to obtain an SSL certificate in X.509 format. There are a number of places you can purchase an SSL certificate, including:
For development/test/staging sites: We suggest using free Let’s Encrypt certificates via acme.sh, a CLI tool available for macOS, Linux and Windows, which provides an easy way to issue and renew as many certificates as needed.
Use the CSR generated via the Moovweb Control Center to issue or renew your certificate. In this example, we use the dns-01 challenge, which verifies control of the domain:
```
$ export AWS_ACCESS_KEY_ID=...
$ export AWS_SECRET_ACCESS_KEY=...
$ acme.sh --signcsr --csr example.com.csr --dns dns_aws
[Sat Dec 1 19:48:57 PST 2018] Copy csr to: ~/.acme.sh/example.com/example.com.csr
[Sat Dec 1 19:48:57 PST 2018] Signing from existing CSR.
[Sat Dec 1 19:48:57 PST 2018] Getting domain auth token for each domain
[Sat Dec 1 19:48:57 PST 2018] Getting webroot for domain='example.com'
[Sat Dec 1 19:48:57 PST 2018] Getting new-authz for domain='example.com'
[Sat Dec 1 19:48:58 PST 2018] The new-authz request is ok.
[Sat Dec 1 19:48:58 PST 2018] Getting webroot for domain='www.example.com'
[Sat Dec 1 19:48:58 PST 2018] Getting new-authz for domain='www.example.com'
[Sat Dec 1 19:48:59 PST 2018] The new-authz request is ok.
[Sat Dec 1 19:48:59 PST 2018] Found domain api file: ~/.acme.sh/dnsapi/dns_aws.sh
[Sat Dec 1 19:49:00 PST 2018] Geting existing records for _acme-challenge.example.com
[Sat Dec 1 19:49:02 PST 2018] TXT record updated successfully.
[Sat Dec 1 19:49:02 PST 2018] Found domain api file: ~/.acme.sh/dnsapi/dns_aws.sh
[Sat Dec 1 19:49:02 PST 2018] Geting existing records for _acme-challenge.www.example.com
[Sat Dec 1 19:49:03 PST 2018] TXT record updated successfully.
[Sat Dec 1 19:49:03 PST 2018] Sleep 120 seconds for the txt records to take effect
[Sat Dec 1 19:51:06 PST 2018] Verifying:example.com
[Sat Dec 1 19:51:08 PST 2018] Success
[Sat Dec 1 19:51:08 PST 2018] Verifying:www.example.com
[Sat Dec 1 19:51:11 PST 2018] Success
[Sat Dec 1 19:51:11 PST 2018] Removing DNS records.
[Sat Dec 1 19:51:12 PST 2018] Getting existing records for _acme-challenge.example.com
[Sat Dec 1 19:51:13 PST 2018] TXT record deleted successfully.
[Sat Dec 1 19:51:14 PST 2018] Getting existing records for _acme-challenge.www.example.com
[Sat Dec 1 19:51:15 PST 2018] TXT record deleted successfully.
[Sat Dec 1 19:51:15 PST 2018] Verify finished, start to sign.
[Sat Dec 1 19:51:16 PST 2018] Cert success.
-----BEGIN CERTIFICATE-----
MIIFk...
-----END CERTIFICATE-----
[Sat Dec 1 19:51:16 PST 2018] Your cert is in ~/.acme.sh/example.com/example.com.cer
[Sat Dec 1 19:51:17 PST 2018] The intermediate CA cert is in ~/.acme.sh/example.com/ca.cer
[Sat Dec 1 19:51:17 PST 2018] And the full chain certs is there: ~/.acme.sh/example.com/fullchain.cer
```
After issuing and uploading the SSL certificate, you must confirm that all the information is accurate. Moovweb will then provision it and present status updates throughout the process.
The final step is to Upload Intermediate Certificate (if necessary). Intermediate certificates establish a chain of trust from the host-specific SSL certificate you provided to a trusted root certificate authority (CA), such as Let’s Encrypt, which browser manufacturers trust to issue SSL certificates on the Internet.
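Before uploading, it is worth checking that the issued certificate actually belongs to the wizard's CSR, covers every selected domain, chains to the intermediate, and is not already inside the 45-day renewal window the Control Center alerts on. The following pre-upload checks are an added example, not Moovweb's own tooling; they assume the openssl CLI and the acme.sh output file names from the session above (example.com.csr, example.com.cer, ca.cer).

```shell
#!/bin/sh
# Pre-upload checks for a certificate issued against the Control Center CSR.
# Assumed inputs (the acme.sh output names above): example.com.csr,
# example.com.cer (leaf) and ca.cer (intermediate). Needs the openssl CLI.

# 0 if the certificate carries the same public key as the CSR, i.e. it was
# issued for the key pair behind the wizard's CSR (RSA and ECDSA alike).
csr_matches_cert() {
  csr_key=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  crt_key=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ]
}

# 0 if the domain appears verbatim in the Subject Alternative Name list;
# every domain selected in the wizard must be covered (wildcards not handled).
cert_covers_domain() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:$esc(,|$)"
}

# 0 if the certificate expires within $2 days; the Control Center mails the
# technical contact at 45 days, so "needs_renewal cert 45" mirrors that alert.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if the leaf chains to the intermediate in $2. -partial_chain lets the
# chain end at the intermediate; the browser's trust store supplies the root.
chain_ok() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# preflight CSR CERT INTERMEDIATE DOMAIN... : run every check before uploading.
preflight() {
  csr=$1; cer=$2; ca=$3; shift 3
  csr_matches_cert "$csr" "$cer" || { echo "certificate does not match the CSR"; return 1; }
  chain_ok "$cer" "$ca" || { echo "certificate does not chain to the intermediate"; return 1; }
  for d in "$@"; do
    cert_covers_domain "$cer" "$d" || { echo "SAN does not cover $d"; return 1; }
  done
  needs_renewal "$cer" 45 && echo "warning: certificate expires within 45 days"
  echo "ok"
}
```

Run `preflight example.com.csr example.com.cer ca.cer example.com www.example.com` from the acme.sh output directory; a non-zero exit means the upload would be rejected or would leave a domain unprotected.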
SSL Certificate Status
The Moovweb Control Center shows a status for each SSL certificate so that system administrators can verify, reference or reuse certificates, together with the action available in each status.
The statuses and actions of SSL certificates in the Moovweb Control Center are:

| Status | Action | Description |
| --- | --- | --- |
| (N/A) | Configure | No certificate has been uploaded to the system; start the SSL Certificate wizard. |
| In progress | Continue | The certificate is being provisioned to the Moovweb cloud. The Continue action takes you to the step in the SSL certificate provisioning where pending actions may be needed to complete the process. |
| Completed | Renew | The certificate has been successfully provisioned into the system. From the moment a certificate is uploaded, the system tracks the remaining number of days until the certificate expires, using the following visual indications: |
| Completed (Renewing) | Continue | The current certificate is being renewed. You can access the current active certificate’s information, and also the step in the SSL certificate provisioning where pending actions might be needed to complete the process. |
Setting Up SSL Certificate Notifications
Every organization in the Moovweb Control Center can add a technical contact who is automatically registered to receive notifications related to SSL certificate status, and whom Moovweb can contact when direct communication is needed to troubleshoot issues affecting production sites.
To change the technical contact information, go to the organization’s membership page (click the gear icon next to the Current Account dropdown) and then select Add Technical Contact.
The system will automatically generate the following notifications for the technical contact:
- Initiate renewal process
- Certificate is 45 days to expire
- Certificate expired